$promo_sortie = $res->fetchOneCell();
$page->assign('promo_sortie', $promo_sortie);
+ if ($action) {
+ S::assert_xsrf_token();
+ }
switch ($action) {
case 'add_promo':
case 'del_promo':
break;
}
- if (Env::has('subs')) $watch->_subs->update('sub');
+ if (Env::has('subs')) {
+ S::assert_xsrf_token();
+ $watch->_subs->update('sub');
+ }
+
if (Env::has('flags_contacts')) {
+ S::assert_xsrf_token();
$watch->watch_contacts = Env::b('contacts');
$watch->saveFlags();
}
+
if (Env::has('flags_mail')) {
- $watch->watch_mail = Env::b('mail');
+ S::assert_xsrf_token();
+ $watch->watch_mail = Env::b('mail');
$watch->saveFlags();
}
$uid = S::v('uid');
$user = Env::v('user');
+ // For XSRF protection, checks both the normal xsrf token, and the special RSS token.
+ // It allows direct linking to contact adding in the RSS feed.
+ if (Env::v('action') && Env::v('token') !== S::v('core_rss_hash')) {
+ S::assert_xsrf_token();
+ }
switch (Env::v('action')) {
case 'retirer':
if (is_numeric($user)) {